
Hi, I am allowing users to upload their pictures and password protect their albums. I am having an issue where unlogged users can browse to Home > User galleries and see the thumbnail of the password protected album. This thumbnail is the last picture uploaded by the user in that album. If you click on the user's gallery, you then see the lock symbol as you would expect. What setting am I missing? Thanks

OK, I did a little digging, and since individual pictures don't have permissions a fix will be a little difficult.

The code for selecting a thumb for the individual user category. We can probably just modify it to also select the aid and then check who is allowed to see it. Or we could add a setting to select the thumb like other categories. Line 654 in Rev 8514

Found the SQL for that thumb: max pid or max galleryicon in the pictures table.

I assume you mean the 2 queries in bridge/udb_base.inc.php, right? I think we have to check the content of $forbidden_with_icon, as it seems to be responsible for hiding (excluding) pictures in password protected albums. Will perform some checks.

    if (!$cpg_show_private_album && $FORBIDDEN_SET != "") {
        // $forbidden_with_icon = "$FORBIDDEN_SET or p.galleryicon=p.pid";
        $forbidden_with_icon = "$FORBIDDEN_SET";
        $forbidden = "$FORBIDDEN_SET";
    } else {
        $forbidden_with_icon = '';
        $forbidden = '';
    }

as we always need to hide pictures in password protected albums, regardless of the setting if a user can have a personal gallery at all or if the album will be hidden or displayed with the padlock icon.

If I replace all occurrences of $forbidden and $forbidden_with_icon with $FORBIDDEN_SET in list_users_query it seems to work as expected. Can anyone please confirm that there's no error in reasoning (and probably also test it), so I can commit that change? Thank you.


Seems to work as expected for me.


It is a mistake to think you can solve any major problems just with potatoes.
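The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Coppermine code: a per-user thumbnail picked with MAX(pid) exposes a picture from a password-protected album whenever the album exclusion is skipped, and stops doing so once the exclusion is applied unconditionally. The table layout, function names, the shape of the exclusion clause and the sample rows are all constructed for illustration.

```python
import sqlite3

# Constructed sample rows (pid, aid, owner_id): user 7 owns public album 1 and
# password-protected album 2; user 8 owns only password-protected album 3.
ROWS = [(101, 1, 7), (102, 2, 7), (103, 3, 8)]
FORBIDDEN_AIDS = [2, 3]  # albums the current visitor may not view


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (pid INTEGER, aid INTEGER, owner_id INTEGER)")
    conn.executemany("INSERT INTO pictures VALUES (?, ?, ?)", ROWS)
    return conn


def forbidden_clause(aids):
    """Album exclusion; the NOT IN shape is an assumption for this example."""
    if not aids:
        return ""
    return "p.aid NOT IN (%s)" % ", ".join(str(int(a)) for a in aids)


def user_thumbs(conn, aids, show_private_album, always_filter):
    """Return {owner_id: thumbnail pid} for the user-gallery listing.

    always_filter=False mirrors the condition quoted in the thread: the
    exclusion is dropped when private albums are shown with a padlock.
    always_filter=True applies the exclusion regardless of that setting.
    """
    clause = forbidden_clause(aids)
    if not always_filter and show_private_album:
        clause = ""
    where = "WHERE " + clause if clause else ""
    sql = ("SELECT p.owner_id, MAX(p.pid) FROM pictures AS p "
           f"{where} GROUP BY p.owner_id")
    return dict(conn.execute(sql).fetchall())


def demo():
    conn = make_db()
    leaky = user_thumbs(conn, FORBIDDEN_AIDS, True, always_filter=False)
    fixed = user_thumbs(conn, FORBIDDEN_AIDS, True, always_filter=True)
    conn.close()
    return leaky, fixed


if __name__ == "__main__":
    leaky, fixed = demo()
    print("exclusion skipped:", leaky)
    print("exclusion applied:", fixed)
```

A user whose pictures all sit in protected albums gets no thumbnail row at all once the exclusion is applied, so the listing code needs a placeholder image for that case.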